Ubuntu - lftp will not connect to ftps site (Fatal error: gnutls_handshake: An unexpected TLS packet was received.)
Clash Royale CLAN TAG#URR8PPP
up vote
1
down vote
favorite
I have a specific ftps site that I cannot connect to with lftp.
When I attempt to connect I get the error:
Fatal error: gnutls_handshake: An unexpected TLS packet was received
When I use gnutls-cli to connect I have found the correct settings to negotiate and actually issue a USER command. What I am asking for is any pointers to the correct lftp configuration for the gnutls part so that it can authenticate correctly.
UPDATE: What I see happening is that when using gnutls-cli it selects the right MAC and cipher to be used:
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
Unlike when being called from lftp is does not:
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
Below are my configurations and debug outputs from lftp and gnutls-cli:
lftp Configuration
lftp
set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
set ftps:initial-prot P
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
debug 999999999
open ftps://XXX.XXX.XXX.XXX:990
quote USER <username>
gnutls-cli Configuration
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
*Some aspects have been anonomized, but nothing about the protocols *
lftp debug output
lftp
lftp :~> set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
lftp :~> set ftps:initial-prot P
lftp :~> set ftp:ssl-allow yes
lftp :~> set ftp:ssl-force yes
lftp :~> set ftp:ssl-protect-list yes
lftp :~> set ftp:ssl-protect-data yes
lftp :~> set ftp:ssl-protect-fxp yes
lftp :~> set ssl:verify-certificate no
lftp :~> debug 999999999
lftp :~> open ftps://XXX.XXX.XXX.XXX:990
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: XXX.XXX.XXX.XXX
lftp XXX.XXX.XXX.XXX:~> quote USER <username>
FileCopy(0x1475a50) enters state INITIAL
FileCopy(0x1475a50) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) port 990
GNUTLS: ASSERT: common.c:1110
..............
GNUTLS: REC[0x1918cd0]: Allocating epoch #0
GNUTLS: ASSERT: gnutls_constate.c:596
GNUTLS: REC[0x1918cd0]: Allocating epoch #1
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x1918cd0]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SERVER NAME (17 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x1918cd0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x1918cd0]: CLIENT HELLO was queued [248 bytes]
GNUTLS: REC[0x1918cd0]: Preparing Packet Handshake(22) with length: 248 and min pad: 0
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x1918cd0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 253
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x1918cd0]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11603
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 50
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2762
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x1918cd0]: Start of epoch cleanup
GNUTLS: REC[0x1918cd0]: End of epoch cleanup
GNUTLS: REC[0x1918cd0]: Epoch #0 freed
GNUTLS: REC[0x1918cd0]: Epoch #1 freed
---- Closing control socket
quote: USER <username>: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
gnutls-cli debug output
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
|<3>| ASSERT: common.c:1110...
Processed 173 CA certificate(s).
Resolving 'XXX.XXX.XXX.XXX'...
Connecting to 'XXX.XXX.XXX.XXX:990'...
|<5>| REC[0x24073f0]: Allocating epoch #0
|<3>| ASSERT: gnutls_constate.c:596
|<5>| REC[0x24073f0]: Allocating epoch #1
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<4>| EXT[0x24073f0]: Sending extension EXT MASTER SECRET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension ENCRYPT THEN MAC (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension STATUS REQUEST (5 bytes)
|<4>| EXT[0x24073f0]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<4>| EXT[0x24073f0]: Sending extension SESSION TICKET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC (12 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
|<4>| EXT[0x24073f0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (3.1) RSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (3.3) ECDSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x24073f0]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x24073f0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
|<4>| HSK[0x24073f0]: CLIENT HELLO was queued [227 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 950
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 950
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 950
|<4>| HSK[0x24073f0]: SERVER HELLO (2) was received. Length 77[946], frag offset 0, frag length: 77, sequence: 0
|<4>| HSK[0x24073f0]: Server's version: 3.1
|<4>| HSK[0x24073f0]: SessionID length: 32
|<4>| HSK[0x24073f0]: SessionID: 000003031e05c5fea2ec00000000000000000000000000005b69ab4d00000001
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Selected compression method: NULL (0)
|<4>| EXT[0x24073f0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<4>| HSK[0x24073f0]: Safe renegotiation succeeded
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: CERTIFICATE (11) was received. Length 861[865], frag offset 0, frag length: 861, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: extensions.c:65
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: extensions.c:65
- subject `<example.cert>', RSA key 1024 bits, signed using RSA-SHA1, activated `2009-09-10 00:00:00 UTC', expires `2021-04-24 23:59:59 UTC', SHA-1 fingerprint `555555555555555555555555555555555555555'
Public Key ID:
PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Public key's random art:
+--[ RSA 1024]----+
| o.o |
| .= E.|
| .B.o|
| .= |
| S = .|
| . o . .= |
| . . . oo.|
| . o+|
| .o.|
+-----------------+
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1145
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: gnutls_buffers.c:1374
|<3>| ASSERT: extensions.c:65
|<4>| HSK[0x24073f0]: CLIENT KEY EXCHANGE was queued [134 bytes]
|<4>| REC[0x24073f0]: Sent ChangeCipherSpec
|<5>| REC[0x24073f0]: Initializing epoch #1
|<5>| REC[0x24073f0]: Epoch #1 ready
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Initializing internal [write] cipher sessions
|<4>| HSK[0x24073f0]: recording tls-unique CB (send)
|<4>| HSK[0x24073f0]: FINISHED was queued [16 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 134 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[2] Handshake(22) in epoch 0 and length: 139
|<5>| REC[0x24073f0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[3] ChangeCipherSpec(20) in epoch 0 and length: 6
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 16 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 45
|<5>| REC[0x24073f0]: SSL 3.1 ChangeCipherSpec packet received. Epoch 0, length: 1
|<5>| REC[0x24073f0]: Expected Packet ChangeCipherSpec(20)
|<5>| REC[0x24073f0]: Received Packet ChangeCipherSpec(20) with length: 1
|<5>| REC[0x24073f0]: Decrypted Packet[1] ChangeCipherSpec(20) with length: 1
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 40
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 40
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 16
|<4>| HSK[0x24073f0]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0
|<5>| REC[0x24073f0]: Start of epoch cleanup
|<5>| REC[0x24073f0]: Epoch #0 freed
|<5>| REC[0x24073f0]: End of epoch cleanup
- Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
- Session ID: 00:00:03:03:1E:05:C5:FE:A2:EC:00:00:00:00:00:00:00:00:00:00:00:00:00:00:5B:69:AB:4D:00:00:00:01
|<3>| ASSERT: server_name.c:298
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: 3DES-CBC
- MAC: SHA1
- Compression: NULL
|<3>| ASSERT: status_request.c:350
|<3>| ASSERT: gnutls_ui.c:797
- Options: safe renegotiation,
|<3>| ASSERT: srtp.c:317
|<3>| ASSERT: alpn.c:227
- Handshake was completed
|<3>| ASSERT: status_request.c:350
- Simple Client Mode:
ubuntu ssl lftp gnutls
add a comment |Â
up vote
1
down vote
favorite
I have a specific ftps site that I cannot connect to with lftp.
When I attempt to connect I get the error:
Fatal error: gnutls_handshake: An unexpected TLS packet was received
When I use gnutls-cli to connect I have found the correct settings to negotiate and actually issue a USER command. What I am asking for is any pointers to the correct lftp configuration for the gnutls part so that it can authenticate correctly.
UPDATE: What I see happening is that when using gnutls-cli it selects the right MAC and cipher to be used:
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
Unlike when being called from lftp is does not:
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
Below are my configurations and debug outputs from lftp and gnutls-cli:
lftp Configuration
lftp
set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
set ftps:initial-prot P
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
debug 999999999
open ftps://XXX.XXX.XXX.XXX:990
quote USER <username>
gnutls-cli Configuration
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
*Some aspects have been anonomized, but nothing about the protocols *
lftp debug output
lftp
lftp :~> set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
lftp :~> set ftps:initial-prot P
lftp :~> set ftp:ssl-allow yes
lftp :~> set ftp:ssl-force yes
lftp :~> set ftp:ssl-protect-list yes
lftp :~> set ftp:ssl-protect-data yes
lftp :~> set ftp:ssl-protect-fxp yes
lftp :~> set ssl:verify-certificate no
lftp :~> debug 999999999
lftp :~> open ftps://XXX.XXX.XXX.XXX:990
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: XXX.XXX.XXX.XXX
lftp XXX.XXX.XXX.XXX:~> quote USER <username>
FileCopy(0x1475a50) enters state INITIAL
FileCopy(0x1475a50) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) port 990
GNUTLS: ASSERT: common.c:1110
..............
GNUTLS: REC[0x1918cd0]: Allocating epoch #0
GNUTLS: ASSERT: gnutls_constate.c:596
GNUTLS: REC[0x1918cd0]: Allocating epoch #1
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x1918cd0]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SERVER NAME (17 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x1918cd0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x1918cd0]: CLIENT HELLO was queued [248 bytes]
GNUTLS: REC[0x1918cd0]: Preparing Packet Handshake(22) with length: 248 and min pad: 0
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x1918cd0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 253
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x1918cd0]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11603
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 50
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2762
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x1918cd0]: Start of epoch cleanup
GNUTLS: REC[0x1918cd0]: End of epoch cleanup
GNUTLS: REC[0x1918cd0]: Epoch #0 freed
GNUTLS: REC[0x1918cd0]: Epoch #1 freed
---- Closing control socket
quote: USER <username>: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
gnutls-cli debug output
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
|<3>| ASSERT: common.c:1110...
Processed 173 CA certificate(s).
Resolving 'XXX.XXX.XXX.XXX'...
Connecting to 'XXX.XXX.XXX.XXX:990'...
|<5>| REC[0x24073f0]: Allocating epoch #0
|<3>| ASSERT: gnutls_constate.c:596
|<5>| REC[0x24073f0]: Allocating epoch #1
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<4>| EXT[0x24073f0]: Sending extension EXT MASTER SECRET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension ENCRYPT THEN MAC (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension STATUS REQUEST (5 bytes)
|<4>| EXT[0x24073f0]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<4>| EXT[0x24073f0]: Sending extension SESSION TICKET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC (12 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
|<4>| EXT[0x24073f0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (3.1) RSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (3.3) ECDSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x24073f0]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x24073f0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
|<4>| HSK[0x24073f0]: CLIENT HELLO was queued [227 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 950
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 950
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 950
|<4>| HSK[0x24073f0]: SERVER HELLO (2) was received. Length 77[946], frag offset 0, frag length: 77, sequence: 0
|<4>| HSK[0x24073f0]: Server's version: 3.1
|<4>| HSK[0x24073f0]: SessionID length: 32
|<4>| HSK[0x24073f0]: SessionID: 000003031e05c5fea2ec00000000000000000000000000005b69ab4d00000001
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Selected compression method: NULL (0)
|<4>| EXT[0x24073f0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<4>| HSK[0x24073f0]: Safe renegotiation succeeded
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: CERTIFICATE (11) was received. Length 861[865], frag offset 0, frag length: 861, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: extensions.c:65
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: extensions.c:65
- subject `<example.cert>', RSA key 1024 bits, signed using RSA-SHA1, activated `2009-09-10 00:00:00 UTC', expires `2021-04-24 23:59:59 UTC', SHA-1 fingerprint `555555555555555555555555555555555555555'
Public Key ID:
PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Public key's random art:
+--[ RSA 1024]----+
| o.o |
| .= E.|
| .B.o|
| .= |
| S = .|
| . o . .= |
| . . . oo.|
| . o+|
| .o.|
+-----------------+
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1145
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: gnutls_buffers.c:1374
|<3>| ASSERT: extensions.c:65
|<4>| HSK[0x24073f0]: CLIENT KEY EXCHANGE was queued [134 bytes]
|<4>| REC[0x24073f0]: Sent ChangeCipherSpec
|<5>| REC[0x24073f0]: Initializing epoch #1
|<5>| REC[0x24073f0]: Epoch #1 ready
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Initializing internal [write] cipher sessions
|<4>| HSK[0x24073f0]: recording tls-unique CB (send)
|<4>| HSK[0x24073f0]: FINISHED was queued [16 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 134 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[2] Handshake(22) in epoch 0 and length: 139
|<5>| REC[0x24073f0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[3] ChangeCipherSpec(20) in epoch 0 and length: 6
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 16 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 45
|<5>| REC[0x24073f0]: SSL 3.1 ChangeCipherSpec packet received. Epoch 0, length: 1
|<5>| REC[0x24073f0]: Expected Packet ChangeCipherSpec(20)
|<5>| REC[0x24073f0]: Received Packet ChangeCipherSpec(20) with length: 1
|<5>| REC[0x24073f0]: Decrypted Packet[1] ChangeCipherSpec(20) with length: 1
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 40
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 40
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 16
|<4>| HSK[0x24073f0]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0
|<5>| REC[0x24073f0]: Start of epoch cleanup
|<5>| REC[0x24073f0]: Epoch #0 freed
|<5>| REC[0x24073f0]: End of epoch cleanup
- Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
- Session ID: 00:00:03:03:1E:05:C5:FE:A2:EC:00:00:00:00:00:00:00:00:00:00:00:00:00:00:5B:69:AB:4D:00:00:00:01
|<3>| ASSERT: server_name.c:298
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: 3DES-CBC
- MAC: SHA1
- Compression: NULL
|<3>| ASSERT: status_request.c:350
|<3>| ASSERT: gnutls_ui.c:797
- Options: safe renegotiation,
|<3>| ASSERT: srtp.c:317
|<3>| ASSERT: alpn.c:227
- Handshake was completed
|<3>| ASSERT: status_request.c:350
- Simple Client Mode:
ubuntu ssl lftp gnutls
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I have a specific ftps site that I cannot connect to with lftp.
When I attempt to connect I get the error:
Fatal error: gnutls_handshake: An unexpected TLS packet was received
When I use gnutls-cli to connect I have found the correct settings to negotiate and actually issue a USER command. What I am asking for is any pointers to the correct lftp configuration for the gnutls part so that it can authenticate correctly.
UPDATE: What I see happening is that when using gnutls-cli it selects the right MAC and cipher to be used:
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
Unlike when being called from lftp is does not:
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
Below are my configurations and debug outputs from lftp and gnutls-cli:
lftp Configuration
lftp
set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
set ftps:initial-prot P
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
debug 999999999
open ftps://XXX.XXX.XXX.XXX:990
quote USER <username>
gnutls-cli Configuration
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
*Some aspects have been anonomized, but nothing about the protocols *
lftp debug output
lftp
lftp :~> set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
lftp :~> set ftps:initial-prot P
lftp :~> set ftp:ssl-allow yes
lftp :~> set ftp:ssl-force yes
lftp :~> set ftp:ssl-protect-list yes
lftp :~> set ftp:ssl-protect-data yes
lftp :~> set ftp:ssl-protect-fxp yes
lftp :~> set ssl:verify-certificate no
lftp :~> debug 999999999
lftp :~> open ftps://XXX.XXX.XXX.XXX:990
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: XXX.XXX.XXX.XXX
lftp XXX.XXX.XXX.XXX:~> quote USER <username>
FileCopy(0x1475a50) enters state INITIAL
FileCopy(0x1475a50) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) port 990
GNUTLS: ASSERT: common.c:1110
..............
GNUTLS: REC[0x1918cd0]: Allocating epoch #0
GNUTLS: ASSERT: gnutls_constate.c:596
GNUTLS: REC[0x1918cd0]: Allocating epoch #1
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x1918cd0]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SERVER NAME (17 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x1918cd0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x1918cd0]: CLIENT HELLO was queued [248 bytes]
GNUTLS: REC[0x1918cd0]: Preparing Packet Handshake(22) with length: 248 and min pad: 0
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x1918cd0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 253
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x1918cd0]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11603
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 50
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2762
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x1918cd0]: Start of epoch cleanup
GNUTLS: REC[0x1918cd0]: End of epoch cleanup
GNUTLS: REC[0x1918cd0]: Epoch #0 freed
GNUTLS: REC[0x1918cd0]: Epoch #1 freed
---- Closing control socket
quote: USER <username>: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
gnutls-cli debug output
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
|<3>| ASSERT: common.c:1110...
Processed 173 CA certificate(s).
Resolving 'XXX.XXX.XXX.XXX'...
Connecting to 'XXX.XXX.XXX.XXX:990'...
|<5>| REC[0x24073f0]: Allocating epoch #0
|<3>| ASSERT: gnutls_constate.c:596
|<5>| REC[0x24073f0]: Allocating epoch #1
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<4>| EXT[0x24073f0]: Sending extension EXT MASTER SECRET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension ENCRYPT THEN MAC (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension STATUS REQUEST (5 bytes)
|<4>| EXT[0x24073f0]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<4>| EXT[0x24073f0]: Sending extension SESSION TICKET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC (12 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
|<4>| EXT[0x24073f0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (3.1) RSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (3.3) ECDSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x24073f0]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x24073f0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
|<4>| HSK[0x24073f0]: CLIENT HELLO was queued [227 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 950
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 950
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 950
|<4>| HSK[0x24073f0]: SERVER HELLO (2) was received. Length 77[946], frag offset 0, frag length: 77, sequence: 0
|<4>| HSK[0x24073f0]: Server's version: 3.1
|<4>| HSK[0x24073f0]: SessionID length: 32
|<4>| HSK[0x24073f0]: SessionID: 000003031e05c5fea2ec00000000000000000000000000005b69ab4d00000001
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Selected compression method: NULL (0)
|<4>| EXT[0x24073f0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<4>| HSK[0x24073f0]: Safe renegotiation succeeded
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: CERTIFICATE (11) was received. Length 861[865], frag offset 0, frag length: 861, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: extensions.c:65
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: extensions.c:65
- subject `<example.cert>', RSA key 1024 bits, signed using RSA-SHA1, activated `2009-09-10 00:00:00 UTC', expires `2021-04-24 23:59:59 UTC', SHA-1 fingerprint `555555555555555555555555555555555555555'
Public Key ID:
PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Public key's random art:
+--[ RSA 1024]----+
| o.o |
| .= E.|
| .B.o|
| .= |
| S = .|
| . o . .= |
| . . . oo.|
| . o+|
| .o.|
+-----------------+
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1145
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: gnutls_buffers.c:1374
|<3>| ASSERT: extensions.c:65
|<4>| HSK[0x24073f0]: CLIENT KEY EXCHANGE was queued [134 bytes]
|<4>| REC[0x24073f0]: Sent ChangeCipherSpec
|<5>| REC[0x24073f0]: Initializing epoch #1
|<5>| REC[0x24073f0]: Epoch #1 ready
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Initializing internal [write] cipher sessions
|<4>| HSK[0x24073f0]: recording tls-unique CB (send)
|<4>| HSK[0x24073f0]: FINISHED was queued [16 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 134 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[2] Handshake(22) in epoch 0 and length: 139
|<5>| REC[0x24073f0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[3] ChangeCipherSpec(20) in epoch 0 and length: 6
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 16 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 45
|<5>| REC[0x24073f0]: SSL 3.1 ChangeCipherSpec packet received. Epoch 0, length: 1
|<5>| REC[0x24073f0]: Expected Packet ChangeCipherSpec(20)
|<5>| REC[0x24073f0]: Received Packet ChangeCipherSpec(20) with length: 1
|<5>| REC[0x24073f0]: Decrypted Packet[1] ChangeCipherSpec(20) with length: 1
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 40
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 40
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 16
|<4>| HSK[0x24073f0]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0
|<5>| REC[0x24073f0]: Start of epoch cleanup
|<5>| REC[0x24073f0]: Epoch #0 freed
|<5>| REC[0x24073f0]: End of epoch cleanup
- Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
- Session ID: 00:00:03:03:1E:05:C5:FE:A2:EC:00:00:00:00:00:00:00:00:00:00:00:00:00:00:5B:69:AB:4D:00:00:00:01
|<3>| ASSERT: server_name.c:298
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: 3DES-CBC
- MAC: SHA1
- Compression: NULL
|<3>| ASSERT: status_request.c:350
|<3>| ASSERT: gnutls_ui.c:797
- Options: safe renegotiation,
|<3>| ASSERT: srtp.c:317
|<3>| ASSERT: alpn.c:227
- Handshake was completed
|<3>| ASSERT: status_request.c:350
- Simple Client Mode:
ubuntu ssl lftp gnutls
I have a specific ftps site that I cannot connect to with lftp.
When I attempt to connect I get the error:
Fatal error: gnutls_handshake: An unexpected TLS packet was received
When I use gnutls-cli to connect I have found the correct settings to negotiate and actually issue a USER command. What I am asking for is any pointers to the correct lftp configuration for the gnutls part so that it can authenticate correctly.
UPDATE: What I see happening is that when using gnutls-cli it selects the right MAC and cipher to be used:
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
Unlike when being called from lftp is does not:
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
Below are my configurations and debug outputs from lftp and gnutls-cli:
lftp Configuration
lftp
set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
set ftps:initial-prot P
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
debug 999999999
open ftps://XXX.XXX.XXX.XXX:990
quote USER <username>
gnutls-cli Configuration
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
*Some aspects have been anonomized, but nothing about the protocols *
lftp debug output
lftp
lftp :~> set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
lftp :~> set ftps:initial-prot P
lftp :~> set ftp:ssl-allow yes
lftp :~> set ftp:ssl-force yes
lftp :~> set ftp:ssl-protect-list yes
lftp :~> set ftp:ssl-protect-data yes
lftp :~> set ftp:ssl-protect-fxp yes
lftp :~> set ssl:verify-certificate no
lftp :~> debug 999999999
lftp :~> open ftps://XXX.XXX.XXX.XXX:990
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: XXX.XXX.XXX.XXX
lftp XXX.XXX.XXX.XXX:~> quote USER <username>
FileCopy(0x1475a50) enters state INITIAL
FileCopy(0x1475a50) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) port 990
GNUTLS: ASSERT: common.c:1110
..............
GNUTLS: REC[0x1918cd0]: Allocating epoch #0
GNUTLS: ASSERT: gnutls_constate.c:596
GNUTLS: REC[0x1918cd0]: Allocating epoch #1
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x1918cd0]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SERVER NAME (17 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x1918cd0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x1918cd0]: CLIENT HELLO was queued [248 bytes]
GNUTLS: REC[0x1918cd0]: Preparing Packet Handshake(22) with length: 248 and min pad: 0
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x1918cd0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 253
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x1918cd0]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11603
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 50
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2762
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x1918cd0]: Start of epoch cleanup
GNUTLS: REC[0x1918cd0]: End of epoch cleanup
GNUTLS: REC[0x1918cd0]: Epoch #0 freed
GNUTLS: REC[0x1918cd0]: Epoch #1 freed
---- Closing control socket
quote: USER <username>: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
gnutls-cli debug output
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
|<3>| ASSERT: common.c:1110...
Processed 173 CA certificate(s).
Resolving 'XXX.XXX.XXX.XXX'...
Connecting to 'XXX.XXX.XXX.XXX:990'...
|<5>| REC[0x24073f0]: Allocating epoch #0
|<3>| ASSERT: gnutls_constate.c:596
|<5>| REC[0x24073f0]: Allocating epoch #1
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
|<4>| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<4>| EXT[0x24073f0]: Sending extension EXT MASTER SECRET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension ENCRYPT THEN MAC (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension STATUS REQUEST (5 bytes)
|<4>| EXT[0x24073f0]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<4>| EXT[0x24073f0]: Sending extension SESSION TICKET (0 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC (12 bytes)
|<4>| EXT[0x24073f0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
|<4>| EXT[0x24073f0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x24073f0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x24073f0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x24073f0]: sent signature algo (3.1) RSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (3.3) ECDSA-SHA224
|<4>| EXT[0x24073f0]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x24073f0]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x24073f0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
|<4>| HSK[0x24073f0]: CLIENT HELLO was queued [227 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 232
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 950
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 950
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 950
|<4>| HSK[0x24073f0]: SERVER HELLO (2) was received. Length 77[946], frag offset 0, frag length: 77, sequence: 0
|<4>| HSK[0x24073f0]: Server's version: 3.1
|<4>| HSK[0x24073f0]: SessionID length: 32
|<4>| HSK[0x24073f0]: SessionID: 000003031e05c5fea2ec00000000000000000000000000005b69ab4d00000001
|<4>| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Selected compression method: NULL (0)
|<4>| EXT[0x24073f0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<4>| HSK[0x24073f0]: Safe renegotiation succeeded
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: CERTIFICATE (11) was received. Length 861[865], frag offset 0, frag length: 861, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: extensions.c:65
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: dn.c:250
|<3>| ASSERT: extensions.c:65
- subject `<example.cert>', RSA key 1024 bits, signed using RSA-SHA1, activated `2009-09-10 00:00:00 UTC', expires `2021-04-24 23:59:59 UTC', SHA-1 fingerprint `555555555555555555555555555555555555555'
Public Key ID:
PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Public key's random art:
+--[ RSA 1024]----+
| o.o |
| .= E.|
| .B.o|
| .= |
| S = .|
| . o . .= |
| . . . oo.|
| . o+|
| .o.|
+-----------------+
|<3>| ASSERT: gnutls_buffers.c:1154
|<4>| HSK[0x24073f0]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1145
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: gnutls_buffers.c:1374
|<3>| ASSERT: extensions.c:65
|<4>| HSK[0x24073f0]: CLIENT KEY EXCHANGE was queued [134 bytes]
|<4>| REC[0x24073f0]: Sent ChangeCipherSpec
|<5>| REC[0x24073f0]: Initializing epoch #1
|<5>| REC[0x24073f0]: Epoch #1 ready
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<4>| HSK[0x24073f0]: Initializing internal [write] cipher sessions
|<4>| HSK[0x24073f0]: recording tls-unique CB (send)
|<4>| HSK[0x24073f0]: FINISHED was queued [16 bytes]
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 134 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[2] Handshake(22) in epoch 0 and length: 139
|<5>| REC[0x24073f0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[3] ChangeCipherSpec(20) in epoch 0 and length: 6
|<5>| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 16 and min pad: 0
|<5>| REC[0x24073f0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 45
|<5>| REC[0x24073f0]: SSL 3.1 ChangeCipherSpec packet received. Epoch 0, length: 1
|<5>| REC[0x24073f0]: Expected Packet ChangeCipherSpec(20)
|<5>| REC[0x24073f0]: Received Packet ChangeCipherSpec(20) with length: 1
|<5>| REC[0x24073f0]: Decrypted Packet[1] ChangeCipherSpec(20) with length: 1
|<4>| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|<3>| ASSERT: gnutls_buffers.c:1154
|<5>| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 40
|<5>| REC[0x24073f0]: Expected Packet Handshake(22)
|<5>| REC[0x24073f0]: Received Packet Handshake(22) with length: 40
|<5>| REC[0x24073f0]: Decrypted Packet[0] Handshake(22) with length: 16
|<4>| HSK[0x24073f0]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0
|<5>| REC[0x24073f0]: Start of epoch cleanup
|<5>| REC[0x24073f0]: Epoch #0 freed
|<5>| REC[0x24073f0]: End of epoch cleanup
- Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
- Session ID: 00:00:03:03:1E:05:C5:FE:A2:EC:00:00:00:00:00:00:00:00:00:00:00:00:00:00:5B:69:AB:4D:00:00:00:01
|<3>| ASSERT: server_name.c:298
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: 3DES-CBC
- MAC: SHA1
- Compression: NULL
|<3>| ASSERT: status_request.c:350
|<3>| ASSERT: gnutls_ui.c:797
- Options: safe renegotiation,
|<3>| ASSERT: srtp.c:317
|<3>| ASSERT: alpn.c:227
- Handshake was completed
|<3>| ASSERT: status_request.c:350
- Simple Client Mode:
ubuntu ssl lftp gnutls
ubuntu ssl lftp gnutls
edited Aug 8 at 17:03
asked Aug 7 at 14:32
Ptier
62
62
add a comment |Â
add a comment |Â
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f461085%2fubuntu-lftp-will-not-connect-to-ftps-site-fatal-error-gnutls-handshake-an-u%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password